THE  GRILL:  Networking  visionary  Rob  Faludi  talks  about  monitoring  energy 
consumption  and  introducing  your  toaster  to  your  smoke  alarm.  PAGE  18 


COMPUTERWORLD


VOL. 43, NO. 17  $5/COPY


SAP slows down price
increases on software
support. But they're
still coming. page 10

IT  managers  prep  for 
a  possible  pandemic 
amid  budget  cutbacks 
and  layoffs,  page  14 

The  time  has  come  for 
wireless  apps  to  play 
a  big  role  in  health 
care  -  if  proponents 
are  right,  page  16 


Recognize  these  five 
signs  that  your  IT 
project  is  in  trouble 
-  before  it’s  too  late 
to  fix  it.  PAGE  36 


An  IT  training  firm 
is  offering  special 
deals  to  unemployed 
workers,  page  37 


When  someone  says, 
‘The  Internet  is  down,' 
what  does  that  really 
mean?  page  34 


COMPUTERWORLD.COM 



‘The  Internet  Is  Down.’ 

What  Does  That  Really  Mean? 

The  Internet  is  still  there  -  we  just  say  it's  "down"  because 
we  can't  get  to  it.  The  question  is,  why  can’t  we  get  to  it? 


INTERNET  WARFARE: 

Where  Are  We  Most  Vulnerable? 



■  NEWS 

10 User groups persuade SAP to extend the phase-in period for higher software support fees. | IBM unveils a new supercomputer designed to let it compete with humans on the TV game show Jeopardy.

11 A Microsoft Windows 7 tool that lets users run Windows XP apps in a virtual machine could create support nightmares, analysts warn. | Sun reports another sharp drop in quarterly revenue.

12 Critics are raising questions about growing calls for the White House to play a leading role in coordinating cybersecurity efforts for the government and key private-


14 IT Faces Possible Pandemic Amid Budget Cutbacks.

Decreased funding and layoffs present a challenge to IT managers who must take steps to deal with a possible flu




think it's ready for a takeoff in adoption. But is that a sound prediction or a case of cockeyed optimism?

■  OPINION 

Editor's Note: Don Tennant is perturbed by the level of disagreeableness that people exhibit when they disagree over things like the iPhone Baby Shaker app.

36  Paul  Glen  says  that  although 
it's  true  that  the  recession  is  killing  a 
lot  of  projects,  yours  may  be  dying  of 
natural  causes. 

40 Frankly Speaking: Frank Hayes sets the record straight on swine flu: The pandemic panic peddlers have things backward.


■  DEPARTMENTS 

18 The Grill: Networking expert Rob Faludi wants to introduce your toaster to your smoke alarm and help you bond with your plants.

35 Security Manager's Journal: In the Trenches, as the Threats Evolve. We've gone from free-floating malware to targeted attacks to organized international crime. What will be next?


37  Career  Watch:  Are  layoffs  too 
expensive?  One  researcher  says  they 
could  be. 


■  ALSO  IN  THIS  ISSUE 
Online  Chatter 
Company  Index 


INTERNET  WARFARE: 


22  Software: 

The  Eternal  Battlefield 

Most  attacks  against  computer  systems  exploit  software 
weaknesses.  The  old  protections  are  no  longer  enough. 

30  New 
Ground  Zero: 
The  Electric 
Power  Grid 

Experts agree that the electric power grid is the piece of the critical infrastructure that's most vulnerable to attack.

33  Russia’s  Cyberblockade 
Of  Georgia  Worked 

Lesson  learned:  DDoS  attacks  -  and  the  responses  to 
them  -  can  cripple  a  country.  Could  it  happen  in  the  U.S.? 

34  ‘The  Internet  Is  Down.’ 
What  Does  That  Really  Mean? 




■  EDITOR’S  NOTE 

Don Tennant

Blaring the Horn

QUESTION: What's the difference between Windows Vista and the infamous Baby Shaker application? Answer: One is an abomination that epitomizes everything that's wrong with the garbage that clueless software developers are dumping on consumers of technology. The other runs on an iPhone.

Now, if that offended you, at least hear me out. I'm just trying to make a point.

Let's start with the sick Baby Shaker app that Apple

"there are many other iPhone applications you could be better spending your time and money on."

Less satisfied with those statements was the Sarah Jane Brain Foundation, an organization that does wonderful work on behalf of families that suffer from the consequences of shaken baby syndrome.

of this sick application" and the development of "a significant plan to reverse the damage they have caused" - it would hold demon-

Certainly the Baby Shaker app controversy presented

This reader, the president of a software vendor in Granite Bay, Calif., responded by informing me that "comput-

the statement is "insulting" to readers. "What the hell are you thinking?"

I explained to the reader that the editorial buck actually stops with Scot Finnie, our editor in chief, but that the editorial management couldn't possibly approve every statement in every opinion piece, nor would it be inclined to do so. I added for clarity that if the column had been submitted to me for approval, I would have unhesitatingly signed off on it. "Bloggers and columnists need to be free to express their opinions without being concerned about running afoul of the editorial leadership," I wrote.

Again, what surfaced seemed akin to road rage.

■ We need to be more tolerant so that we can focus on addressing the serious matters that confront us.

Don Tennant is Computerworld's senior editor-at-large. You can contact him at don_tennant@computerworld.com, visit his blog at http://blogs.computerworld.com/tennant, and follow him on Twitter at http://twitter.com/dontennant.






■  ONLINE  CHATTER 


COMPUTERWORLD

P.O. Box 9171, 1 Speen Street
Framingham, MA 01701
(508) 879-0700

Computerworld.com

Editor in Chief Scot Finnie
Senior Editor-at-Large Don Tennant
Executive Editors Mitch Betts, Julia King (events)
Managing Editors Michele Lee DeFilippo (production), Sharon Machlis (online), Ken Mingis (news)
Design Director Stephanie Faucher
Director of Blogs Joyce Carpenter
Technologies Editor Johanna Ambrosio
Features Editors Kathleen Melymuka, Valerie Potter, Ellen Fanning (special reports), Barbara Krasnoff (reviews)
Senior Editor Mike Barton (new media)
Senior News Editor Craig Stedman
News Editors Mike Bucken, Marian Prokop
National Correspondents Gary Anthes, Julia King, Robert L. Mitchell
Reporters Sharon Gaudin, Matt Hamblen, Gregg Keizer, Eric Lai, Lucas Mearian, Patrick Thibodeau, Jaikumar Vijayan
Features Writer, Video Editor David Ramel
Assistant Managing Editor Bob Rawson
Senior News Columnist Frank Hayes
Art Director April Montgomery


RESPONSES  TO: 

Why  I  Use  Linux 

April  21, 2009 


I don't get why people writing articles on the Internet constantly have to write this rubbish about why they love Linux and why everyone should switch to it.

■  Submitted  by:  Anonymous 

Microsoft pushes its beliefs (valid or otherwise) at me all the time with advertising and marketing. Why shouldn't people who prefer a (frankly better) computer experience let others know about it? The worst that could happen is that Microsoft might improve its operating system - compete on merit, that kind of thing.

■  Submitted  by:  David  Freehug 


RESPONSES  TO: 

Don’t  Sign  Away  Your 
Future:  Noncompetes 
Done  Right 

April  23, 2009 


The  author  assumes  you  have  a 


The first company I worked for implemented a noncompete clause for sales staff that prohibited them from working in computer sales for any other company for a year. To make things worse, this company was going down the tubes at the time. Some salespeople were able to jump ship, but it was 1987, around the time of the big Dow Jones crash, and sales jobs were about as plentiful as they are now - meaning people were happy to have a job. Many of these people were specialized in computer hardware and good at it. Sure, they could have started selling insurance or something, but that would have been a waste of their

■  Submitted  by:  Aardvark 

A  contract  that  benefits  only  one 
side  is  not  a  contract!  Slavery 
was  made  illegal  in  the  U.S.  some 
years  ago. 

■  Submitted  by:  Dr  Bob  Hacker 

RESPONSE  TO: 

#amazonfail 

April  20, 2009 


I'll  bet  Amazon  was  trying  to  do 




SUPERCOMPUTING

IBM Plans Human-Machine Jeopardy Match

IBM last week unveiled an advanced computing system that engineers hope can compete against humans on the long-running television game show Jeopardy.

The system, known as Watson, runs new software called Question Answering (QA), which was designed to understand complex questions and to answer them quickly enough to compete on a rapid-fire show like Jeopardy, according to IBM.

David Ferrucci, who heads the Watson project team, said QA's developers were faced with the challenge of developing a supercomputer that "can rival the human mind's ability to determine precise answers to natural-language questions."

An IBM spokesman would not identify the processor that will run the Watson machine, nor would he say how fast it will be able to process data.

- SHARON GAUDIN




SAP Slows Price Hike on Forced Support Switch

BOWING TO pressure from user groups, SAP AG last week

angry customers last fall, SAP sweetened some of the program's features and

user groups want proof. To try to get it, the KPIs will be used in a joint benchmarking program, with the results to be examined by an independent auditor.

The deal isn't perfect, said




■  NEWS  DIGEST 


Virtual  XP  Mode  Could 
Cause  Support  Woes 


Sun Reports Its Sales Took A Big Hit in Last Quarter

SUN MICROSYSTEMS INC. last week reported another sharp drop in revenue for its fiscal third quarter, during which the company battled uncertainty about its future along with the

Reports that Sun was discussing an acquisition with IBM surfaced in mid-March, and the vendor eventually agreed to sell itself to Oracle Corp. two weeks ago. Analysts said the rumors could disrupt Sun's efforts to close deals late in the quarter that ended March 29, and that appears to have happened.

Sun said its Q3 revenue was $2.61 billion, down 20%

by 26% from last year's third quarter, according to Sun.

"There were few product categories that had any success this past quarter," said Gartner

in each of them. The company didn't hold a conference call on the third-quarter results, and

ments in the earnings report, presumably because of Oracle's pending acquisition.

- JAMES NICCOLAI, IDG NEWS SERVICE


NEWS  DIGEST 


Critics  Argue  Against  a 
White  House  Security  Lead 




search  at  Microsoft  Corp., 
to  his  council  of  science  and 
technology  advisers. 



The president rightly should be responsible for "declaring [cyber] war," with input from Congress

2004. The NCTC is part of the Office of the Director of National Intelligence, a setup that allows Congress to play a role, Collins said.

second bill that would give the White House more control over security efforts was introduced in the Sen-

proposed by Sen. Thomas Carper (D-Del.) would establish a National Office for Cyberspace whose director would be appointed by and report to the president.

last month by Sens. Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine) would similarly create a cybersecurity office in the

Global Dispatches

EU Official Sees Need for Cyberchief

BRUSSELS - Viviane Reding, European Commissioner for Information Society and Media, last week called on the European Union to hire a top-level cyber security official to plan for and manage the EU's

net infrastructure.

In a video blog posted last week, Reding accused EU member states of being "negligent" for failing to adequately prepare for the sort of attacks seen in Estonia, Lithuania and Georgia in recent years (see story, page 33).

Reding estimated that there

next 10 years. "A one-month-long Internet interruption in Europe would mean economic losses of at least €150 billion [$199 billion U.S.]," she said.


Europe Awards OS Research Grant

AMSTERDAM - The European Research Council has awarded a €2.5 million ($3.3 million U.S.) grant to Vrije University to continue its work on Minix, a Unix-type operating system

The grant will fund three programmers for five years, said Andrew Tanenbaum, a computer science professor at the Amsterdam school.

The latest grant will fund research into making the operating system capable of fixing itself when a bug is detected, Tanenbaum said.

nounced plans to lay off 450 employees to further cut costs. The Espoo, Finland-based tele-




■ NEWS ANALYSIS

IT Faces Possible Pandemic Amid Budget Cutbacks

Analysts suggest that managers update IT call lists and telecommuting plans. By Patrick Thibodeau

MANY IT executives could be

budget cutbacks in a number of companies.

immediately review call lists and decision-making

level to Phase 5 on a scale of 1 to 6, indicating a "widespread human infection." By last Wednesday, the Centers for Disease Control

cases of swine flu in the U.S., including 50 in New York, 26 in Texas, 14 in California and 10 in South Carolina. In a statement on its Web site, the CDC added that "more hospitalizations and more deaths are expected in the coming days and weeks." At the same time, the WHO reported 8 deaths among 257 cases of swine flu worldwide.

In a Computerworld blog post early last week, Scott McPherson, CIO of the Florida House of Representatives, advised data center executives to begin "reviewing your pandemic plans now, and familiarizing

"I think we are well prepared - I think a lot of sec-

to have the right permissions and provisioning," he said. In addition to letting employees know that they are responding to this

masks available for them, DeLotto said.

After the WHO raised the threat level last week, Gartner analyst Ken McGee issued an advisory calling on companies to begin preparing workers for widespread telecommuting and videoconferencing, and setting up options for dealing with network outages, among other things.

Meanwhile, several Japan-based electronics companies had halted business trips to Mexico by early last week. Panasonic Corp. and Sharp Corp., both based in Osaka, halted all business trips to Mexico City, while Tokyo-




Wireless 
IT  in  Health 
Care:  The 
Time  Is  Now? 

Wireless  medical  apps  are 
ready  for  broad  usage  and 
could  transform  patient  care. 
That’s  what  proponents  say, 
at  least.  By  Matt  Hamblen 


ther on the market or being used in trials, claiming that they could help improve patient monitoring and reduce errors in administering medications.

"At the same time the economy has hit bottom,

citing innovation in wireless medicine," said Topol, who is chief academic officer at Scripps Health and director of the Scripps Translational Science Institute, a research unit.

In an interview, Topol cited three reasons for the increasing interest in wireless technologies:

bandwidth improvements that enable the transmission of images and other


by Corventis Inc. that he had placed on his chest. The patch transmitted a variety of data to a monitor that displayed the information as a doctor or medical technician would see it, including a diagram of Topol's body position to show whether he was standing or lying down.

Corventis announced the availability of its "wearable sensors" on April 21. Other wireless cardiac-monitoring vendors include LifeWatch Corp. and CardioNet Inc., where Topol once served on the medical advisory board. (He is currently a member of the board of directors at Triage Wireless


Rob  Faludi 


The  networking  visionary  talks  about 
introducing  your  toaster  to  your 
smoke  alarm,  bonding  with  your 
plants  and  bringing  the  outside  in. 


been doing some cutting-edge work.

In team meetings, we'd get embroiled in lengthy debates about how [a Web] interaction should proceed. When we finally put our creations in front of real users, they'd frequently breeze through the parts that we thought would be hard and then screech to a halt, completely bewildered by some choice that everyone on the development team had assumed would be obvious. I wanted to know what was going on. The answers would span science and design, so I returned to school for two master's degrees, one in cognitive psychology and one from NYU's Interactive Telecommunications Program. When it was all
Continued on page 20




■ THE GRILL ROB FALUDI

■ When that phone call or text message comes in from your plant, we're hoping to precipitate a moment that you and your leafy friend can spend together.

Do your studies in psychology and neural

of human-object communication? Oh, it's all about the people for me! I deeply respect engineering and computer science because they are fundamentally human endeavors. What I aim to do is take the magic they produce to the next level and find ways that new technologies can engage us and enrich our interactions.

Can you briefly touch on the concept of mesh networking? Broadly speaking, a mesh network is a collection of devices that are all connected to each other both directly and indirectly. Any one device can act as both a node and a router for other nodes. Together, the devices create a robust communications structure, one that adapts fluidly when a new device enters the network or another one is removed or fails. There are over a hundred ad hoc routing protocols for these networks, but the basic idea is a kind of egalitarian structure. It's terrific for making robust and highly


sumption and how their conservation actions are affected by being part of a community network. This is a great example of how objects and networks can have a real impact on not just individuals' lives, but on the way we impact the world as a whole. If we can get enough people monitoring their power consumption and leverage that effectively into behavior change, then perhaps we can keep the oceans where they are. I like sushi, but I don't want to live with it.


munication system. How does it work? The Botanicalls project aims to forge a connection between people and nature. Botanicalls is about helping people notice the other living things around them. When that phone call or text message comes in from your plant, we're hoping to precipitate a moment that you and your leafy friend can spend together. So the technology of sensing soil moisture, connecting to an online message generator and triggering notifications is really about momentarily fracturing the grip of gadgets and


we're creating a way to see exactly how ... using in real time. I look at how and to

sures are good for the soul.

- Interview by Sara Forrest, a freelance photographer and writer in New York (saraforrestphoto@gmail.com)




INTERNET WARFARE:

Software: The Eternal Battlefield

"We are at risk. Computers are vulnerable to the effects of poor design, insufficient quality control, accident and, perhaps more alarmingly, to deliberate attack."

- Computers at Risk, Computer Science and Telecommunications Board, National Research Council, 1991

Eighteen years later, we are still at risk. Our computers are still vulnerable. They still suffer attacks enabled by poor design and insufficient quality control. We spend huge sums on IT

In January, Heartland Payment Systems Inc. reported what may be the

The company said that a "global cyberfraud operation" stole information from more than 100 million credit

■ SPECIAL REPORT

PORTRAIT OF A SECURITY-SAVVY USER

The Depository Trust & Clearing Corp. takes information security seriously.

It had better. The organization, which provides clearing, settlement and information services for financial institutions and government, settled $1.88 quadrillion (thousand-trillion) in securities transactions last year.

The DTCC claims to be the only financial services firm rated at Level 3 on the Software Engineering Institute's Capability Maturity Model Integration scale. It is also one of the co-developers of the just-announced industry-standard Building Security in Maturity Model.

"We have a very disciplined, process-oriented approach," says Jim Routh, the DTCC's chief information security officer.

Here's what the DTCC does:

■ It subjects its internally developed software to the rigors of static and dynamic code analysis.

■ It has its systems undergo penetration testing.

■ It subscribes to a third-party service that scans its Web sites looking for vulnerabilities.

■ It assigns risk levels - high, medium or low - to any vulnerabilities found.

■ It remediates vulnerabilities and tracks remediation at three levels in the organization.

As for software vendors, the DTCC "puts them through the paces," Routh says.

For software deemed to be high risk, the vendors must show evidence of the same kinds of controls that the DTCC uses internally. "They have to show us the artifacts of their software development life cycle as it relates to security - static code analysis, dynamic analysis, penetration testing, and how they track vulnerabilities and manage their remediation," he says, adding that the DTCC is one of the few firms that does that.

Vendors that can't produce these artifacts get another chance, however. They must submit the software in question, in binary form, to an external party that scans it for high-risk vulnerabilities and assigns a grade to it.

"We pay for some of that," Routh says. "We get the high-level results, the vendor gets the detailed results, and we negotiate remediation priorities."

- GARY ANTHES


ties  because  someone  uses  one  in  an 
attack,  and  then  they  fix  it.  They  are 
walking  around  finding  holes  in  the 
dike  and  patching  them.  This  is  play¬ 
ing  catch-up  and  letting  the  attacker 
define  the  problem.  It's  an  inherently 
losing  mind-set." 

But,  Schneider  suggests,  “what  if  we 
turned  the  tables  in  a  way  that  allowed 
us  to  stay  ahead  of  attacks?" 

Many  Internet-borne  attacks  come 
via  spoofing;  you  get  a  message  pur¬ 
porting  to  be  from,  say,  Citibank,  but 


>  find  out  who  sent  it  and  arrest  them." 

;  Schneider  says  this  would  change 

j  the  mind-set  from  one  of  prevention 
!  to  one  of  accountability.  People  would 


could  be  caught  and  held  accountable. 

“The  problem  with  the  current  pre¬ 
vention  mentality  is  you  have  to  pro¬ 
tect  everything,"  Schneider  says,  “but 
the  attacker  only  has  to  find  one  chink 
in  the  armor." 

Although  not  trivial,  implementing 
such  accountability  on  the  Internet 
is  technically  feasible.  But  there  are 
two  big  barriers  to  making  it  happen, 
Schneider  acknowledges. 

One  is  an  expectation  of  anonym¬ 
ity  that  many  users  would  not  lightly 


tacks — are propagated throughout networks and systems. "All three of these changes contribute value and agility to the enterprise, but they also reshape the security picture," Scherlis says.

A few years ago, an organization would have put an "enterprise firewall" between its internal systems and external networks, he explains. If it subsequently detected bad actors or bad software inside the company, it would have then turned to departmental firewalls and, soon after that, to firewalls on individual computers. Then, if

would have started putting shields around individual applications.

Now, Scherlis says, even that is not enough, as systems become more and more fragmented yet interconnected. "Modern applications contain frameworks and libraries from diverse sources, and they stretch across multiple computers," he says. "So now you need to consider perimeters inside the application, at the application programming interfaces."

Even the simplest applications may contain thousands of individual executable components from multiple sources. "That makes the software assurance problem really hard," Scherlis says.

TURN THE TABLES

Fred Schneider, a software security and reliability expert at Cornell University, goes even further, saying that the notion of building defensive perimeters — at any level — is outdated.

"Today, people discover vulnerabili-

attackers outside the U.S. difficult to bring to account. "We need to strike a balance between accountability and anonymity," Schneider says, "and we
Continued on page 26

"Be absolutely rigorous about configuration management and configuration integrity, both during development and ceaselessly during operations."

WILLIAM SCHERLIS, PROFESSOR OF COMPUTER SCIENCE, CARNEGIE MELLON UNIVERSITY

24  COMPUTERWORLD  MAY  4, 2009 

■  SPECIAL  REPORT 


PORTRAIT OF A SECURITY-SAVVY USER


The Depository Trust & Clearing Corp. takes information security seriously.

It had better. The organization, which provides clearing, settlement and information services for financial institutions and government, settled $1.88 quadrillion (thousand-trillion) in securities

The DTCC claims to be the only financial

Level 3 on the Software Engineering Institute's Capability Maturity Model Integration scale.

It is also one of the co-developers of the just-announced industry-standard Building Security In Maturity Model.

"We have a very disciplined, process-oriented approach," says Jim Routh, the DTCC's chief information security officer.

Here's what the DTCC does:

■ It subjects its internally developed software to the rigors of static and dynamic code analysis.

■ It has its systems undergo penetration testing.

■ It subscribes to a third-party service that scans its Web sites looking for vulnerabilities.

■ It assigns risk levels - high, medium or low - to any vulnerabilities found.

■ It remediates vulnerabilities and tracks remediation at three levels in the organization.

As for software vendors, the DTCC "puts them through the paces," Routh says.

For software deemed to be high risk, the vendors must show evidence of the same kinds of controls that the DTCC uses internally. "They have to show us the artifacts of their software development life cycle as it relates to security - static code analysis, dynamic analysis, penetration testing, and how they track vulnerabilities and manage their remediation," he says, adding that the DTCC is one of the few firms that does that.

Vendors that can't produce these artifacts get another chance, however. They must submit the software in question, in binary form, to an external party that scans it for high-risk vulnerabilities and assigns a grade to it.

"We pay for some of that," Routh says. "We get the high-level results, the vendor gets the detailed results, and we negotiate remediation priorities."

-  GARY  ANTHES 


ties because someone uses one in an attack, and then they fix it. They are walking around finding holes in the dike and patching them. This is playing catch-up and letting the attacker define the problem. It's an inherently losing mind-set."






TEACH YOUR CHILDREN WELL


In January, The Mitre Corp. and the SANS Institute published a list of coding mistakes that make software vulnerable to attack; it was called the "Top 25 Most Dangerous Programming Errors."

Alan Paller, research director at SANS, says universities do a poor job of teaching students how to avoid those mistakes. "There is nothing nearly as important for improved security of software than getting [universities] to take responsibility for the lack of secure coding skills of their graduates," he says.

But Fred Schneider, a computer science professor at Cornell University, disagrees. He teaches a computer security class that covers sound coding practices, but he says a university's role is "teaching ideas and principles and how to think about things."


Schneider says software vendors often send new hires to training classes to learn secure coding practices, and that's as it should be.

But Schneider and Paller agree on at least one thing: While quite a lot is known now about secure coding practices, there is little agreement on what makes for a secure system design. "Nobody understands what it is about an architecture that contributes to a system being secure," says Schneider. "It's hard to recognize a bad design if you don't know how to tell a good design when you see it."

Says Paller, "There are ways to write secure code, but on secure design, there are only opinions. The guys with the opinions all think they are the only ones who know how to do it, and they don't speak to each other."

- GARY ANTHES


END-TO-END TRUST

Last year, Microsoft published a paper outlining a concept that it dubbed "end-to-end trust," whereby strong authentication could protect every boundary and layer - hardware, software, people and data - in computing. It's an ambitious idea, but many of the pieces already exist, says Steve Lipner, Microsoft's senior director of security engineering strategy.

For example, Lipner has a Trusted Platform Module installed on his laptop PC. The TPM, a chip built to specifications from the Trusted Computing Group, a nonprofit industry standards group, is a tamper-resistant microcontroller that can store a user's keys, passwords and digital certificates.

"It can validate that the software loaded at boot time is the one I think it is," Lipner says, "and it releases a cryptographic key that will decrypt my hard drive before I start to use my machine."

BitLocker, the drive-encryption feature in Windows Vista and Windows Server 2008, is the software that uses the TPM this way.

"That's a start," Lipner says. "But when we talk about the full end-to-end trust vision, we are also talking about being able to authenticate a lot more of the software on the machine, maybe all of it. We are researching the deeper integration of the TPM mechanisms."

Wider deployments of these mechanisms could show up in the TPM device itself, the operating system or third-party software, or in the form of new Internet standards, Lipner says.
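How a TPM can "validate that the software loaded at boot time is the one I think it is" and only then release a disk key comes down to two operations: a one-way extend of a platform configuration register (PCR) for each boot component, and sealing a key to the resulting PCR value. The Python below is an added example, not Microsoft's, BitLocker's or the Trusted Computing Group's code: it simulates those two operations in software, with an HMAC-derived pad standing in for the chip's internal sealing. The component names, the tpm_secret and the volume key are constructed for the example.

```python
"""Measured boot and key sealing, simulated in software (added example).

PCR' = H(PCR || H(component)) for each component, in boot order; a key
sealed to a PCR value is released only when the current PCR matches.
The HMAC pad is a stand-in for the TPM's internal wrapping, not the real
TPM construction.
"""
import hashlib
import hmac
import secrets

DIGEST = hashlib.sha256   # a SHA-256 PCR bank, as in TPM 2.0
PCR_SIZE = 32             # PCRs start at all-zero bytes at reset


def extend(pcr, measurement):
    """The one-way extend: order matters and there is no undo."""
    return DIGEST(pcr + measurement).digest()


def measure_boot(components):
    """Fold the hash of each boot-time image into a fresh PCR, in order."""
    pcr = bytes(PCR_SIZE)
    for image in components:
        pcr = extend(pcr, DIGEST(image).digest())
    return pcr


def _pad(tpm_secret, policy):
    # Keystream bound to the chip's secret and to the PCR value sealed against.
    return hmac.new(tpm_secret, b"seal|" + policy, DIGEST).digest()


def seal(key, pcr_policy, tpm_secret):
    """Wrap a 32-byte key so it is only recoverable under pcr_policy."""
    if len(key) != PCR_SIZE:
        raise ValueError("example seals 32-byte keys only")
    wrapped = bytes(a ^ b for a, b in zip(key, _pad(tpm_secret, pcr_policy)))
    return pcr_policy + wrapped     # blob carries the policy it was sealed to


def unseal(blob, pcr_now, tpm_secret):
    """Return the key only if the platform is in the sealed state; else None."""
    policy, wrapped = blob[:PCR_SIZE], blob[PCR_SIZE:]
    if not hmac.compare_digest(pcr_now, policy):
        return None                 # the TPM refuses: boot state differs
    return bytes(a ^ b for a, b in zip(wrapped, _pad(tpm_secret, policy)))


def demo():
    """Constructed scenario: seal a volume key, then boot three ways."""
    tpm_secret = secrets.token_bytes(32)   # never leaves the chip
    volume_key = secrets.token_bytes(32)   # the disk-encryption key
    good_boot = [b"firmware v1", b"bootmgr v1", b"winload v1"]
    blob = seal(volume_key, measure_boot(good_boot), tpm_secret)

    same = unseal(blob, measure_boot(good_boot), tpm_secret)
    tampered = unseal(
        blob, measure_boot([b"firmware v1", b"bootmgr EVIL", b"winload v1"]),
        tpm_secret)
    reordered = unseal(
        blob, measure_boot([b"bootmgr v1", b"firmware v1", b"winload v1"]),
        tpm_secret)
    return {
        "same_boot_releases_key": same == volume_key,
        "tampered_boot_refused": tampered is None,
        "reordered_boot_refused": reordered is None,
    }


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is that a tampered boot manager, or even the right components measured in a different order, yields a different PCR, so the sealed volume key never leaves the chip. The same mechanism is why a legitimate firmware or boot-loader update changes the PCR and forces a reseal; with BitLocker that shows up as a recovery prompt unless protection is suspended around the update.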

However, in the short term, users must do the best they can with existing technology, says Alan Paller, research director at the SANS Institute, an information security education firm. He says cyberthreats that exploit software are of three types: those that exploit vulnerabilities left by faulty coding, those that exploit logic errors in faulty designs, and social-engineering exploits that trick users into doing things they shouldn't do, such as revealing a password.

"The most powerful of the new attack techniques are in social engineering, where they are doing much deeper analysis of the people they are going to attack," Paller says. But part of that is pure technology, he says, "because once you let the guy in, he still has to break some things."

That means defensive technology is needed inside the system so if, for example, a user clicks on some malware, the attacker can't then insert a keystroke-logger or other malicious software.

- GARY ANTHES




Experts in computer security generally agree that certain fundamental steps by industry, governments and society could go a long way toward solving the

Those steps include adopting new views on the trade-offs between anonymity and accountability, building trustworthy systems from top to bottom based on strong authentication, employing only the latest and best techniques and tools in software development, and documenting and certifying designs and code.

The problem is that these things require strong commitments by multiple parties, and they require expenditures

says federal funding of computer security research has been inadequate. He advises the federal government on such matters but, he says,

trade-offs given fixed resources - to decide, for example, whether we should send troops into Afghanistan, help the poor or make investments that promote cybersecurity."

Schneider says that most people don't have an accurate understanding of the costs and risks of our growing dependence on untrustworthy systems because they don't know the extent to which systems control things, nor do they understand the magnitude of the threat. "Society doesn't really have sufficient information to make good decisions about the trade-offs," he says.

- GARY ANTHES


Continued from page 26
tance of this because it sounds dreary and dull — like taking inventory. But few organizations or users even know what's running on their computers," he says. "Stuff just turns up, and you don't even know what its heritage is."

Scherlis says that a typical desktop can have 5,000 or more executable files, many of them of uncertain origin. In addition, there are hidden files and dynamic modifications to files. "That's pretty scary," he concludes.

"Attend to the provenance" of your software, Scherlis says, and "be absolutely rigorous about configuration management and configuration integrity, both during development and ceaselessly during operations."

In the meantime, he says, an emerging idea is for builders of software to produce evidence that their code meets certain criteria. Developers can help buyers and users evaluate software by providing test cases, models, linked documentation such as Javadoc, development and configuration logs, bug and problem logs, and analysis results, Scherlis says.
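The inventory-and-integrity discipline Scherlis describes is mechanical enough to script. The following Python is an added example, not code from the article, from Scherlis or from Carnegie Mellon: it takes a baseline of every executable under a directory tree (SHA-256 plus size) and diffs a later scan against that baseline to report what turned up, what vanished and what changed. The directory layout, file names and the extension list used to decide what counts as executable are assumptions constructed for the example.

```python
"""Configuration-integrity baseline for executables on a host (added example).

build_manifest() records every executable under a root; diff_manifests()
reports drift against a saved baseline. The extension list and the sample
tree in demo() are assumptions for the example.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Treated as executable content by name; on POSIX the exec bit also counts.
EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".so", ".dylib", ".ko"}


def is_executable(path):
    if path.suffix.lower() in EXEC_SUFFIXES:
        return True
    mode = path.stat().st_mode
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def sha256_of(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> {sha256, size} for every executable under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if not is_executable(path):
            continue
        manifest[path.relative_to(root).as_posix()] = {
            "sha256": sha256_of(path),
            "size": path.stat().st_size,
        }
    return manifest


def diff_manifests(baseline, current):
    """What appeared, disappeared or changed since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p]["sha256"] != current[p]["sha256"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: take a baseline, then let the tree drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "svc.exe").write_bytes(b"MZ original service")
        (root / "bin" / "helper.dll").write_bytes(b"MZ helper")
        (root / "bin" / "readme.txt").write_bytes(b"not code")   # ignored
        # Round-trip through JSON: this is the record you would store off-host.
        baseline = json.loads(json.dumps(build_manifest(root)))

        # Drift: a patched binary, a newcomer of unknown heritage, one gone.
        (root / "bin" / "svc.exe").write_bytes(b"MZ original service + patch")
        (root / "bin" / "updater.exe").write_bytes(b"MZ who installed me?")
        os.remove(root / "bin" / "helper.dll")
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the baseline somewhere the host cannot silently rewrite it (a signed file or a separate system), because the diff is only as trustworthy as the record it compares against. Scaling this to a whole desktop is the same loop over the right roots, with the path-to-origin mapping Scherlis calls provenance stored alongside each hash.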

But even the best protective measures will never completely do the job, says Robert Lucky, a research vice president at Telcordia Technologies Inc. in Piscataway, N.J. Lucky chaired a U.S. Department of Defense task force in 2006 that looked into the threat from malicious code secretly inserted in U.S. software developed abroad. His report detailed a number of steps that could be taken to help protect against such sabotage, but he told Computerworld recently that he considers the problem of cybercrime "intractable."

"The bottom line for me is always risk assessment," Lucky says. "You can't spend an infinite amount of money. You have to make intelligent trade-offs and accept risk."

The best approach, Lucky suggests, is to identify those system components that are critical and sensitive, and "spend the big bucks" only on those. But he acknowledges that it's not easy to list all the critical components in a large, complex system.

No matter what users and vendors do, Cornell's Schneider warns against complacency. Schneider, who chairs Microsoft's external advisory board on security, says, "It's clear [Microsoft's]

SKIRMISHES

According to the Computer Security Institute's 2008 Computer Crime and Security Survey, the following percentages of respondents reported experiencing these types of incidents in the previous year.




GROUND  ZERO 

in  Internet  Warfare 


The  power  grid  is  an  obvious  target  for 
terrorists,  but  experts  disagree  about 
how  to  secure  it.  By  Julia  King 




cal national infrastructure, the highly distributed and ultra-interconnected U.S. power grid is

cyberattack. On this one point, many cybersecurity experts seem to agree.

Yet just how likely a terrorist target is the grid? And what's the best way to




were a lot simpler. The industrial controls that managed the generation and flow of power were protected from intrusion by their closed-loop architecture. Those control systems operated in isolation from everything else.

six months to replace transformers or generators, "and we have no [replacement] manufacturing capabilities in the U.S.," he says. "Germany, China and Japan are our sources."

CASE IN POINT

An incident illustrating the types of vulnerabilities attackers could exploit took place last March in Baxley, Ga.

The Hatch Nuclear Power Plant was forced to shut down for two days fol-




Continued from page 30

"The average attacker is trying to gain financially from illicit activity," says Assante. That explains why attacks on financial institutions and

several of which focus on cybersecurity.

"Standards lay the foundation [for cybersecurity]," says Assante. "What makes the power system unique is that it is so interconnected. From a secu-


NOT JUST HYPOTHETICAL

Last month, when The Wall Street Journal reported that Chinese and Russian adversaries are regularly hacking the U.S. power grid and seeding it with electronic time bombs, John Bumgarner was not the least bit surprised.

"It's a known fact that our critical infrastructures are being probed and penetrated by adversaries on a regular basis," he says. "Every day, a critical infrastructure in the U.S. is probed by somebody."

What is new, he says, is the growing number of officials in government, the utilities industry and elsewhere who are willing to acknowledge the vulnerabilities. "It's not just the CIA anymore," says Bumgarner, director of research at the U.S. Cyber Consequences Unit, an independent nonprofit security research organization.

The Journal quoted unnamed intelligence officials as saying that foreign operatives last year had repeatedly gained access to several U.S. critical infrastructure systems, including the power grid. "The Chinese have attempted to map our infrastructure," according to the senior official quoted.

Commenting on the report to ABC Television, former presidential cybersecurity expert Richard Clarke said that foreign governments have been setting up what he calls "offensive cyberwar units." He also says the U.S. power grid is "pretty easy to penetrate."

One way to reduce or prevent at-

grid control system from the Internet," Clarke suggests.

However, Bumgarner notes that such a remedy is unlikely to be

disconnecting all the Internet connection points supporting the power grid would be almost impossible, especially during a period of national crisis.

- JULIA KING


Lesson  learned:  DDoS  attacks,  as  well  as 
the  response  to  them,  can  cripple  a  country. 




INTERRUPTUS 


in San Francisco took down a data center hosting a number of popular sites, including Craigslist, for several hours.

Major service-provider outages: Simple things can have unexpected conse-

"Error 404: Page Not Found." Possibly, your browser times out while waiting for the server to respond. We tend to summarize all these events with a simple phrase like "The Internet is down."

In almost all cases, that global interconnection of networks that gives us the World Wide Web, e-mail and countless other online services is still operating. The Internet is still there; we just can't get to it. But why?

The root cause could be almost anywhere. The culprit could be something inside your computer or attached peripheral equipment, or a service interruption from your own network or ISP. It could be a regional or wider-scale outage caused by faulty equipment, weather problems or accidental or malicious damage to cables, or a disruption caused by malicious software such as a virus or a Trojan horse. Or it could be something as simple as the need for

POSSIBLE POINTS OF FAILURE

Inside your local system and close by: A hardware component or connection failure is a real possibility. If the hard-

software up to date and working.

Regional upsets: The problem could lie with your office network or ISP. A quick phone call to the help desk or your ISP will let you know.


WHAT TO DO?

When you lose Internet service, follow these steps before you call for help:

■ Wait a few minutes; many Internet outages resolve themselves in short order.

■ If you get a timeout message, try again.

■ Check all I/O cables, including those attached to your PC, router, network, and cable or DSL modem.

■ If you're on a wireless connection, try plugging in with a cable.

■ Unless there's a good reason why you cannot or should not do so, try restarting your computer and, if applicable, your router and/or modem. Restart, don't reset: Just unplug them, wait 30 seconds, then
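Each of the steps above tests one layer of the path out of your machine. The Python script below is an added example, not part of the article: it probes those layers in order (the local TCP/IP stack, a route to the outside, name resolution, a TCP connection, an HTTP answer), stops at the first failure and maps that layer to where to look next, following the article's own breakdown of possible points of failure. The probe target, the documentation address used for the route check and the wording of the fault map are assumptions; classify() is pure, so it can be exercised on constructed results without a network.

```python
"""Where is "the Internet" down? A layered probe (added example).

Walk outward from the host; the first layer that fails is the one to
investigate. Targets and fault labels are assumptions for the example.
"""
import socket

# Outward order: your machine, your LAN/router, your resolver, the path, the site.
LAYERS = ("loopback", "local_route", "dns", "tcp_connect", "http_response")

# First failing layer -> where a practitioner should look next.
WHERE_TO_LOOK = {
    "loopback": "your own machine: TCP/IP stack, host firewall or drivers",
    "local_route": "LAN or Wi-Fi link, cable, router, DHCP: no route out",
    "dns": "resolver or ISP: a route exists but name lookups fail",
    "tcp_connect": "upstream path or the remote host: packets leave, nothing answers",
    "http_response": "the remote service itself: reachable but not serving",
    "none": "every layer answered; suspect one site, a proxy or a stale cache",
}


def probe_loopback(timeout=1.0):
    """Can the host talk to itself? Fails only if the local stack is broken."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.settimeout(timeout)
        s.bind(("127.0.0.1", 0))
        s.sendto(b"ping", s.getsockname())
        return s.recvfrom(16)[0] == b"ping"
    except OSError:
        return False
    finally:
        s.close()


def probe_local_route(probe_addr="192.0.2.1"):
    """Is there a route toward the Internet? A UDP connect() sends nothing;
    it only asks the kernel to pick a route (192.0.2.1 is a documentation
    address, so nothing is ever contacted)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect((probe_addr, 53))
        return s.getsockname()[0] not in ("0.0.0.0", "127.0.0.1")
    except OSError:
        return False
    finally:
        s.close()


def probe_dns(host):
    try:
        return bool(socket.getaddrinfo(host, 80, socket.AF_INET, socket.SOCK_STREAM))
    except OSError:
        return False


def probe_tcp_connect(host, port=80, timeout=3.0):
    try:
        socket.create_connection((host, port), timeout).close()
        return True
    except OSError:
        return False


def probe_http_response(host, port=80, timeout=3.0):
    """Does the site answer at all? Any HTTP status counts, even a 404."""
    req = b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout) as s:
            s.sendall(req)
            return s.recv(64).startswith(b"HTTP/")
    except OSError:
        return False


def run_probes(host):
    """Walk outward and stop at the first failure; later layers stay untested."""
    probes = {
        "loopback": probe_loopback,
        "local_route": probe_local_route,
        "dns": lambda: probe_dns(host),
        "tcp_connect": lambda: probe_tcp_connect(host),
        "http_response": lambda: probe_http_response(host),
    }
    results = {}
    for layer in LAYERS:
        results[layer] = probes[layer]()
        if not results[layer]:
            break
    return results


def classify(results):
    """Return (first failing layer or 'none', where to look next)."""
    for layer in LAYERS:
        if results.get(layer) is False:
            return layer, WHERE_TO_LOOK[layer]
    return "none", WHERE_TO_LOOK["none"]


if __name__ == "__main__":
    print(classify(run_probes("example.com")))   # host is an assumption
```

Run it against a site you know is normally up; a failure at "dns" with "local_route" passing is the classic ISP-resolver outage the article files under regional upsets, while a failure only at "http_response" means the problem is the far end, not you.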


February 2008 when a data center's authentication service was overloaded. Subsequent outages at Amazon led to speculation that the company was the target of a denial-of-service attack.

A software failure took down parts of eBay for almost a day in 1998. After similar problems in 1999, 2002 and 2003, the company created an outage policy for customers and reassured investors that it had resolved reliability issues.

International connections: Despite the wide use of satellites and wireless communications, global communications still depend heavily on fiber-optic cables that connect continents. In December, millions of Web users in the Middle East lost connectivity when a string of underwater cables in the Mediterranean Sea was damaged. As much as 70% of all Internet traffic and telephone communications between Europe and Africa was affected, and Internet traffic had to be rerouted through Asia and the U.S. Similar cable damage had occurred less than a year before, when ships' anchors had torn through a different section of those same cables. ■


■  SECURITY  MANAGER’S  JOURNAL  J.F.  RICE 

In  the  Trenches,  as 
The  Threats  Evolve 

We’ve  gone  from  free-floating  malware  to 
targeted  attacks  to  organized  international 
crime.  What  will  be  next? 


Trouble 

Ticket 


ACTION PLAN: There's no way to know what will be thrown at you; just be prepared for anything.

Since then, of course, things have escalated into international phishing, pharming and those ubiquitous Nigerian bank scams. In my mind, they represent a snowballing of the inter-

■ Random malware just floated on the electronic breeze, sort of like - well, like a virus.

manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at jf.rice@engineer.com.


■  OPINION 

Paul  Glen 

Five  Clues  a  Project 
Is  Headed  for  Trouble 


IN THESE DIFFICULT TIMES, lots of projects are getting canceled, postponed or mothballed. Although these are perfectly normal occurrences in IT, they seem more frequent, swift and stinging now.

■ In political battles between IT and business management, business management usually wins.

Paul Glen is the founder of the GeekLeaders.com Web community and author of the award-winning book




■  Q&A 

Steve  Gaudino 

»  The  COO  of 

Training  Camp  talks 
about  certification 
programs  for 
unemployed  IT  workers. 


Career Watch

Don't Twitter Your Job Prospects Away

Do you doubt that things move fast in our highly connected world? In mid-March, someone with the username of theconnor posted a public tweet on Twitter: "Cisco just offered me a job! Now I have to weigh the utility of a fatty paycheck against the daily commute to San Jose and hating the work." Tim Levad at Cisco saw the tweet and replied, "Who is the hiring manager. I'm sure they would love to know that you will hate the work. We here at Cisco are versed in the web." And that same day, someone else established the Web site CiscoFatty.com and shared the story. No one seems to know whether theconnor (or Cisco Fatty, if you prefer) took the job or not, but he or she did learn a lesson and instituted some privacy settings on Twitter. Of course, there's a lesson for us all - to watch what we say and to whom.


Are Layoffs Too Expensive?

Maybe some IT jobs will be saved if enough executives read a March 8 research note from AMR Research Inc.'s Phil Fersht and then are able to convince the top brass of the sense of Fer-

that should the economy recover in 2010, a company might derive only $50,000 to $100,000 in savings from each IT layoff, after all costs have been incurred. Then Fersht asks how those savings stack up against the cost of replacing the laid-off employee once conditions improve. "How can you put a price on replacing the inherent business knowledge of that staff member when you rehire a replacement?" he writes. "It may take another year or two to get the replacement up to speed, and will not only end up costing you more, but may also impede your executives from accessing critical data in a timely fashion.

The overall cost of replacing that staff member could easily be three times the costs saved by laying her off. And these easily identified direct costs are only the beginning; the costs incurred to


s. How has that affected

ployed workers. What's the

But typically what we find is when

documentation or otherwise

business spending cuts back, we usually get more individuals, because people have either been

believe the student is unemployed, we're going to help him pay for his training by covering the cost of his




Shark Tank


Thanks, Boss - Really!

Management decides it's finally time to start pushing down Windows updates, and there are a lot of them since SP2. But one user is sure the endless requests to reboot must be from a virus. When this IT pilot fish tries to explain, user gets abusive and demands to speak to fish's manager.

"I put the user on hold, went to my boss and gave her a

mend that disciplinary action be taken.' Click. The boss proceeded to use very colorful language, picked up the phone and lived up to her promise, starting with the VP. From then on out, we were told to hang up on people like this and report them."

A Little Too Much

Pilot fish passes along a message sent by his department's

was an unexpected result of bringing up new network equipment for the network re-architect. This caused our UPS to go into error state and send a power spike. Some of the equipment could not handle this spike. We've temporarily migrated the power off of the failed devices and will schedule a time to migrate the power again after business hours. We will also be working with our UPS vendor to look at the UPS to verify why this happened and prevent it from happening again." Sighs fish, "Ninety-eight percent of these employees would have not one clue as to what was said in this message."

machine has virus protection, and every one runs locked down in user-only mode to prevent the rogue installation of software. But we have decided we need to increase our user awareness after the following ticket: 'I just received an ominous warning that my computer was infected with several viruses. I tried running the program to remove these viruses (as it indicated for me to do), but I'm not sure it worked. I wanted to let you guys know in case there is something else I need to do.'"

■ Do this: Send Sharky your true tale of IT life at sharky@computerworld.com. You'll


rundown," fish says. "She picked up the line and this is what I heard: 'This is Alice. Yes ma'am, new update policy. No ma'am. No ma'am. [Louder.]

help desk to all employees at his location: "At 10:35 a.m., we had a power spike in the server room that caused most of the network equipment to

At Least He Asked

Malware from the Web is becoming a problem where this support pilot fish works.




■ FRANKLY SPEAKING

Frank Hayes

No Panic Required

FED UP with swine flu fearmongers? Feeling suspicious that the people whose bird-flu pandemic predictions didn't pan out are now trying for a second bite at the apple? You should be. Yes, the current swine flu outbreak is a real health problem. In some places, it's also a real economic problem.

But a real problem for IT shops? It's time for a reality check.


First, the health problem: The World Health Organization and the U.S. Centers for Disease Control are concerned about this new strain of flu. They should be. Flu kills people — usually from complications such as pneumonia, usually the elderly, infants or others especially at risk. But all flu strains pose a health threat. Every year, flu sends 200,000 Americans to the hospital — and it kills 36,000.

Flu is dangerous.

That's why the WHO and the CDC are making all those statements, and why governments are telling their citizens to avoid unnecessary travel to Mexico, where the disease first emerged. This new strain of flu isn't killing its victims wholesale (in contrast, bird flu has killed 60% of those who got it from birds) or even sending them to hospitals in huge numbers. Mostly it appears to be just a bad case of the flu.

That's the first difference from the much-hyped bird flu. Here's the second: This strain of swine flu can be treated effectively with standard influenza drugs, including Tamiflu and Relenza.

In the U.S., there are federal government stockpiles of at least 50 million doses of these drugs. That's about half a million doses for each currently confirmed U.S. case of swine flu. And we

Yes, we need to be alert. But even if there are more outbreaks in the U.S., this swine flu can be contained here with reasonable precautions (wash your hands frequently, send sick employees home), existing medicines and slightly increased travel controls.

■ What we know for sure about this outbreak of swine flu is that the pandemic panic peddlers have their economics backward.

What about Mexico, with its thousands sick and hundreds dead from swine flu? It turns out that many early reports lumped all respiratory deaths in Mexico City into the “might be swine flu” category. The number of confirmed cases — and the number of confirmed swine-flu deaths — is now believed to be much smaller.

What we know for sure from the situation in Mexico City is that the pandemic panic peddlers have their economics backward. In Mexico City, government orders have shut down restaurants, theaters and other places that pose a risk for spreading flu virus. That’s hammering the local economy and idling workers.


The problem isn’t that the flu is leaving businesses shorthanded the way pandemic pundits predicted. Instead, shutdowns are leaving businesses unable to afford regular staffing levels.

So there’s little likelihood that you’ll need to lay in a supply of food, water, fuel and face masks. In practice, you’ll be more likely to lay people off than to lock

Where does that leave those of us in U.S. IT shops? In the middle (see story, page 14). It’s not a nonevent — swine flu really does pose a potential threat. But it’s also not a business crisis we need to throw money at in the middle of a recession.

It’s the hardest kind of problem for U.S. businesses: one that requires active monitoring but not immediate, drastic

So ignore the fear-mongers. Just be vigilant, keep your coughs and sneezes to yourself, and tell your staffers to stay home if they’re sick. That’s not as exciting as pandemic panic — just the swine flu’s challenging reality. ■

Frank Hayes is Computerworld’s senior news columnist. Contact him at frank_hayes@computerworld.com.

